VBScript “shortcuts” virus removal

Everybody likes music, so many people download music albums or compilations from untrusted sources, be they illegal torrents containing copyrighted material, P2P networks or file-hosting websites. After downloading and unpacking the archive we can see that the folder contains more files than the supposed music files; in our example:

- an autorun.inf file;

- an autorun.exe file;

- a VBScript file, in our example 2.vbs;

- the real music files (the songs);

- shortcuts with the same name as the songs;

It is a VBScript virus, very annoying but simple to remove manually. I dare say it is simpler to remove manually than with antivirus software, which is bypassed very easily by this kind of virus. Here we go; the folder structure is like this:

Seeing the autorun files we can deduce that this infection method was created especially to infect USB drives, knowing that music is very often copied onto USB drives for sharing. Every time a USB drive is plugged into the infected computer, the virus, which is resident in memory, copies its components onto that drive and infects it; it also creates infected shortcuts for the files and folders found there. Conversely, every time an infected USB drive is plugged into a clean computer with the Autorun feature enabled, the virus runs automatically and copies its components to several locations on the computer, also ensuring their automatic startup; this way the virus spreads like a worm. For those who do not know, a computer with the Autorun feature enabled reads the autorun.inf file automatically when the USB drive is plugged in and launches the program named in it (here autorun.exe). Note that Windows 7, and Windows XP/Vista with update KB971029 installed, no longer honour autorun.inf on USB drives, so on those systems the shortcuts described below are the vector that actually gets the script running.

The main component of this virus is the malicious VBScript file, named here 2.vbs, which comes in an encoded form; this is part of it:

Before deleting this file we must end the wscript.exe process from Task Manager, otherwise we will get an error saying that the file cannot be deleted because it is in use by Microsoft Windows Script Host (WSH). Why? VBScript files are not standalone applications or executables; they must be executed (interpreted) by a Windows component, WSH, which appears in Task Manager as the wscript.exe process (or cscript.exe when a script is run from a console). We will never see a VBScript file as a process, only its interpreter, wscript.exe.

* Creates value “Mozilla Corporation.exe=C:\Users\Cyberstorm\AppData\Local\Temp\tmp7062.tmp.exe” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, binary data=43003A005C0055……3005C0043007900 (the path stored as a UTF-16LE string: 43 00 3A 00 5C 00 55 00 is “C:\U”) <– a new registry entry for automatic startup; the value name imitates a legitimate vendor to blend in

Fortunately, this component does not hide its process: we see it as tmp7062.tmp.exe in Windows Task Manager, so we can end the process and delete the file from the temporary folder. Be aware of the name, tmpXXXX.tmp.exe (the four characters vary); in reality it is autorun.exe renamed.

But what is the role of the created shortcuts? The shortcuts are used as infection vectors. If we take a close look at the Properties of the shortcuts (right-click > Properties > Shortcut > Target) we see this command (the shortcut Target), for example for Gold Cobra.mp3:

Using the cmd.exe Windows component, it first starts 2.vbs, which is in the same folder as the shortcut and will infect the system, and then the Gold Cobra.mp3 song, which is also in the same folder. Because of the .mp3 extension, the system automatically starts the program associated with it, say Windows Media Player, tricking the user into believing that everything is OK.

For folders, let's take as an example the shortcut for the Limp Bizkit folder; its Shortcut Target is:
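To check a suspect drive for exactly these two vectors without opening each shortcut's Properties dialog by hand, the following PowerShell script is an added example (it is not from the original post and the real Target strings of the shortcuts are not reproduced here): it reports what autorun.inf would launch and lists every .lnk whose target runs cmd.exe or a .vbs, together with whether a real file or folder of the same name sits next to it. Function names and the drive letter E: are assumptions.

```powershell
# Added example, not from the original post. Scans a folder (typically the root of the
# USB drive) for the two artifacts discussed: an autorun.inf that launches a program,
# and .lnk shortcuts whose target runs cmd.exe / a .vbs instead of the file they are named after.
# Function names and the drive letter in the usage lines are assumptions.

function Get-AutorunInfTargets {
    param([Parameter(Mandatory)][string]$Path)
    $inf = Join-Path $Path 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf -PathType Leaf)) { return }
    # autorun.inf is an INI file; the keys that start a program are open= and shellexecute=
    foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') {
            [pscustomobject]@{ File = $inf; Key = $Matches[1]; Launches = $Matches[2] }
        }
    }
}

function Get-SuspiciousShortcuts {
    param([Parameter(Mandatory)][string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -LiteralPath $Path -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue) {
        $sc        = $shell.CreateShortcut($lnk.FullName)   # on an existing .lnk this reads its fields
        $target    = [string]$sc.TargetPath
        $arguments = [string]$sc.Arguments
        # The pattern from the post: the shortcut starts cmd.exe, whose command line runs
        # the .vbs first and then the real song or folder of the same name.
        $viaCmd  = $target -match '(?i)(^|\\)cmd\.exe$'
        $runsVbs = ($target + ' ' + $arguments) -match '(?i)\.vbs(\s|"|$)'
        if (-not ($viaCmd -or $runsVbs)) { continue }
        # "Gold Cobra.mp3.lnk" -> BaseName "Gold Cobra.mp3": is the real item next to it?
        $twin = Join-Path $lnk.DirectoryName $lnk.BaseName
        [pscustomobject]@{
            Shortcut    = $lnk.FullName
            Target      = $target
            Arguments   = $arguments
            HasRealTwin = Test-Path -LiteralPath $twin
        }
    }
}

# Usage (drive letter assumed): what would run on insertion, and which shortcuts are traps.
Get-AutorunInfTargets -Path 'E:\'
Get-SuspiciousShortcuts -Path 'E:\' | Format-Table -AutoSize
```

Run it from a clean machine with Autorun disabled; reading a .lnk through WScript.Shell does not execute it. A shortcut named after a song that points at cmd.exe and carries a .vbs in its arguments, with HasRealTwin true, is the signature described above for both the song and the folder shortcuts.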

These file paths are for Windows 7; for Windows XP the paths may be different, however the folders are the same, the Temporary and Startup folders. You can also delete the automatic startup registry entries, but these are no longer dangerous once you delete the files mentioned above. If you are afraid to delete manually from the registry, you can use a registry editor or a program able to control startup programs; in Windows 7 you can also use Run > type "msconfig" (without quotes) > Startup.
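The removal steps above (end wscript.exe before deleting the script, end the tmpXXXX.tmp.exe process running from Temp, delete the dropped files, clear the Run entries) can be scripted in PowerShell. The following is an added example, not the post's own tooling: it assumes the persistence points are the ones the post names (%TEMP% and the Startup folders, the HKCU/HKLM Run keys), recovers the .vbs path from the script host's command line before killing it, and takes the remaining dropped-file paths, which are not listed on this page, as a parameter. Function names are assumptions; run it with -WhatIf first.

```powershell
# Added example, not from the original post. Automates the removal steps described above.
# Assumptions: persistence lives under %TEMP% or the Startup folders, and dropped file paths
# not shown on the page are passed in by the caller. Dry-run with -WhatIf before running.

function Get-ScriptHostProcesses {
    # A .vbs never appears as a process; only its interpreter does (wscript.exe, or cscript.exe
    # for console scripts). The command line tells which script it is interpreting.
    Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
        ForEach-Object {
            $cl = [string]$_.CommandLine
            $script = $null
            if ($cl -match '(?i)"([^"]+\.vbs)"' -or $cl -match '(?i)(\S+\.vbs)') { $script = $Matches[1] }
            [pscustomobject]@{ ProcessId = $_.ProcessId; Name = $_.Name; Script = $script; CommandLine = $cl }
        }
}

function Get-TempProcesses {
    # The dropper runs as tmpXXXX.tmp.exe straight out of the temporary folder.
    $temp = $env:TEMP.TrimEnd('\') + '\'
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath.StartsWith($temp, [StringComparison]::OrdinalIgnoreCase) } |
        Select-Object ProcessId, Name, ExecutablePath
}

function Get-SuspiciousRunEntries {
    # Run values whose program sits in %TEMP% or a Startup folder. The data may be REG_SZ or,
    # as in the sandbox report above, REG_BINARY holding the path as a UTF-16LE string.
    $keys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $roots = @($env:TEMP, [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) |
             Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $raw = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $cmd = if ($raw -is [byte[]]) { [Text.Encoding]::Unicode.GetString($raw).TrimEnd([char]0) } else { [string]$raw }
            $exe = [Environment]::ExpandEnvironmentVariables($cmd).TrimStart('"')
            if ($roots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }
}

function Remove-ShortcutVirus {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$DroppedFiles = @())   # e.g. the copies of 2.vbs / autorun.exe in Temp and Startup
    $hosts = @(Get-ScriptHostProcesses)
    $files = @($DroppedFiles) + @($hosts.Script | Where-Object { $_ })
    # 1. Stop the interpreter first, otherwise deleting the .vbs fails with
    #    "in use by Microsoft Windows Script Host".
    foreach ($p in $hosts) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
    # 2. Stop the renamed autorun.exe running from %TEMP%.
    foreach ($p in Get-TempProcesses) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
    # 3. Delete the dropped files (the script paths were captured before the kill).
    foreach ($f in $files | Sort-Object -Unique) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
    }
    # 4. Remove the Run entries; harmless once the files are gone, but no reason to keep them.
    foreach ($e in Get-SuspiciousRunEntries) { Remove-ItemProperty -Path $e.Key -Name $e.Name }
}

# Usage: inspect first, then dry-run, then run for real.
# Get-ScriptHostProcesses; Get-TempProcesses; Get-SuspiciousRunEntries
# Remove-ShortcutVirus -DroppedFiles "$env:TEMP\tmp7062.tmp.exe" -WhatIf
# Remove-ShortcutVirus -DroppedFiles "$env:TEMP\tmp7062.tmp.exe"
```

Because Remove-ShortcutVirus declares SupportsShouldProcess, -WhatIf propagates to the Stop-Process, Remove-Item and Remove-ItemProperty calls inside it, so the dry run prints every action without taking it. Cleaning HKLM entries requires an elevated prompt; the HKCU entry from the report above does not.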

To prevent such infections in the future you can do two things:

- The second thing you can do to avoid such USB drive infections is to "immunize" the USB drive, to inject a "vaccine" on it, which is practically a dummy autorun.inf with the Read-Only attribute. In this way a virus cannot write its own autorun.inf on that USB drive because one is already there that it cannot simply overwrite. Bear in mind that the Read-Only attribute by itself is only a speed bump, since a script can clear it with a single call before deleting the file; the usual immunizer tools therefore create autorun.inf as a folder rather than a file, which the virus's file-copy routine cannot replace. You can use several programs for this task:
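A minimal do-it-yourself vaccine in PowerShell, added here as an example rather than one of the programs meant above: it refuses to touch a drive that already carries an autorun.inf file (on an unvaccinated drive that is itself a sign of infection and should be inspected first), otherwise creates autorun.inf as a folder and marks it read-only, hidden and system. The function name and the drive letter are assumptions.

```powershell
# Added example, not from the original post. Creates the "vaccine" on a removable drive.
# Assumption: the caller passes the drive letter (e.g. 'E:'); the function name is made up here.

function Protect-UsbDrive {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Drive)
    $root = $Drive.TrimEnd('\') + '\'
    $inf  = Join-Path $root 'autorun.inf'

    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        # A real autorun.inf *file* is what the virus drops; do not clobber evidence, inspect it.
        Write-Warning "$inf already exists as a file; check its open=/shellexecute= lines before vaccinating."
        return $false
    }
    if (-not (Test-Path -LiteralPath $inf -PathType Container)) {
        if ($PSCmdlet.ShouldProcess($inf, 'create vaccine folder')) {
            New-Item -ItemType Directory -Path $inf | Out-Null
        }
    }
    if (Test-Path -LiteralPath $inf -PathType Container) {
        # A folder blocks the virus's file copy of autorun.inf outright; the attributes
        # only add friction (a script can clear them), so the folder is the real barrier.
        (Get-Item -LiteralPath $inf -Force).Attributes = 'ReadOnly, Hidden, System, Directory'
    }
    return (Test-Path -LiteralPath $inf -PathType Container)   # $true once the vaccine is in place
}

# Usage (drive letter assumed): Protect-UsbDrive -Drive 'E:' -WhatIf ; then without -WhatIf
```

An empty folder can still be removed with a plain directory delete, which is why the dedicated immunizer tools go one step further and place an entry inside the folder that ordinary file operations cannot remove; this example stops at the folder, which already defeats a script that just copies its autorun.inf onto the drive.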